bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Feature Request re: syslog and bashhist


From: aixtools
Subject: Re: Feature Request re: syslog and bashhist
Date: Wed, 12 Aug 2015 20:48:58 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

On 2015-08-12 3:19 PM, Chet Ramey wrote:
On 8/12/15 8:09 AM, Aharon Robbins wrote:
In article<address@hidden>,
aixtools<address@hidden>  wrote:
In short, having it included in ./configure simply give it much more
visibility - and perhaps adoption.
Personally, I think that having bash send executed commands to syslog
is an invasion of privacy; I'm surprised such a feature is even there
at all...
And this is why it's not easy to turn on.  It's there for that small
set of system administrators who need it to satisfy some external
auditing requirement (in some cases legally required) -- that's why it's
available in the first place.

I guess my customer set all fall into this category.

And it is not fail safe - anyone willing, or able to use another shell can execute a program such as vi, and then use a shell escape to start a different shell that is not logging. Which is why auditing is used, which is involuntary from an application perspective.

So, referring back to John's addition, this would be useful for case #2.

Where it could be useful for case #3 - would be if bash had (or maybe has) an option to display the configure arguments (which generally does not include -D flags), such as perl -V, or httpd -V.

Basically, if you have nothing to hide - it should not matter. More likely, it is a mechanism that can prove your innocence should there ever be any doubt about what you did, or did not do.

Even in Germany - which has the reputation for most "protective" privacy laws. To meet PCI compliance and others (I think even government in some sectors) - all commands are stored in order to perform an
audit in the case of a suspected security breach.

In any case, I understand that it is a sensitive topic - not one that I will be deciding.

I guess it might be worth a discussion to be able to see from a command-line option to know, one way or the other
if the feature is (potentially) active.

In short - Chet - as if I had a choice :p @ me - I bow to your wisdom!




reply via email to

[Prev in Thread] Current Thread [Next in Thread]